1. Field of the Invention
The present invention relates to a method of generating a Message Authentication Code (MAC) using a stream cipher and authentication/encryption and authentication/decryption methods using a stream cipher, and more particularly, to a method of generating a MAC that can be computed in parallel using a safe and efficient stream cipher and authentication/encryption and authentication/decryption methods using a stream cipher and using a MAC as an initialization vector of the stream cipher.
2. Discussion of Related Art
MACs are used to provide data integrity. Data integrity can be checked by a function of checking whether or not received data or stored data is the same as original data when the data has been transmitted or stored. Typical methods of generating a MAC use a Hash Message Authentication Code (HMAC) using a keyed hash function, a cipher-based MAC (CMAC) using a block cipher, and so on.
A stream cipher is an encryption primitive frequently used to provide confidentiality, like a block cipher. In general, in comparison with a block cipher, a stream cipher can be implemented in lightweight hardware and operated at high speed in software. In an encryption process, a stream cipher creates a ciphertext by Exclusive-ORing (XORing) a message with a key stream generated using a secret key, and thus a user ignorant of the key streams can readily change a message at a desired part. Due to such a characteristic, a stream cipher is considered to be difficult to provide a MAC function.
A MAC is a value calculated using data as an input value. When data transfer is performed between 2 users, a transmitter adds a MAC behind the data and transmits the data, and a receiver generates a MAC from the data and checks whether or not the generated MAC is the same as the transmitted value. In a field not requiring cryptographic safety, a method which uses a checksum, such as a parity bit, Cyclic Redundancy Check (CRC), etc., and a hash value is frequently used to provide data integrity. Such a method can check a simple error like a transmission error but cannot prevent falsification by a malicious user. To cryptographically solve the problem, a method is used which allows only a user having a previously shared secret key to generate a valid MAC.
Typical methods of generating a MAC using a secret key are a hash-function method using a key and a method using a block cipher. In 1996, Bellare et al. disclosed an HMAC that is a MAC according to a keyed hash function (“Keying Hash Functions for Message Authentication,” by M. Bellare, R. Canetti, and H. Krawczyk, Advances in Cryptology-CRYPTO '96, LNCS 1109, pp. 1-15, Springer-Verlag, 1996). According to the HMAC, when a message M is provided, a MAC is generated as H(K⊕opad.H(K⊕ipad.M)) using a hash function H and a secret key K. Here, opad and ipad denote predetermined constants.
The MAC generation method using a block cipher includes a Cipher Block Chaining (CBC)-MAC algorithm using a CBC operation mode, a CMAC algorithm, and so on. The CBC-MAC algorithm chains a previous block ciphertext and a next block plaintext to create the next block ciphertext, and is a method using a block cipher operation mode frequently used to encrypt data. A CBC-MAC is known to be unsafe for a falsification attack, and various MAC generation methods using a block cipher have been suggested to solve this problem. In 2003, Iwata and Kurosawa have suggested a one-key CBC-MAC (OMAC) that is a modified CBC-MAC (“OMAC: One-Key CBC-MAC,” by T. Iwata and K. Kurosawa, Advances in Cryptology-FSE 2003, LNCS 2887, pp. 129-153, Springer-Verlag, 2003). After this, the OMAC has been included in a block cipher operation mode recommendation of National Institute of Standards and Technology (NIST) under the name CMAC.
MAC generation methods using a stream cipher have not been researched as much as the MAC generation methods using a block cipher and a hash function. In the Republic of Korea, a MAC generation method using a stream cipher was first suggested by Jae-woo HAN and Dong-hoon LEE and registered as a domestic patent (Patent Registration No. 0578550, “Method of Generating Message Authentication Code Using Stream Cipher”). The method applies a block cipher-based CBC-MAC to a stream cipher and uses 2 keys to solve the problem of a CBC-MAC. Meanwhile, Ferguson et al. suggested a stream cipher Helix providing an authentication function (“Fast Encryption and Authentication in a Single Cryptographic Primitive,” by N. Ferguson et al., Advances in Cryptology-FSE 2003, LNCS 2887, pp. 330-346, Springer-Verlag, 2003). After this, Whiting et al. improved Helix and suggested a stream cipher Phelix to eSTREAM that is a European Union led project in designing the best stream ciphers.
According to a recent trend in stream cipher design, an initialization vector is used in all stream ciphers, and the length of the initialization vector is made to be longer than the length of a secret key in consideration of a Time-Memory Trade Off (TMTO) attack. For example, when a 128 bit secret key is used, it is designed to use an initialization vector equal to or more than a 128 bit value.
The above-mentioned MAC generation method using a stream cipher suggested by Jae-woo HAN et al. has the same safety drawback as the CBC-MAC, and cannot be computed in parallel because data is processed by a chaining method.
A technique simultaneously performing authentication and encryption is referred to as an authenticated encryption method, which is mostly researched in the field of block cipher theory. A widely-known block cipher authenticated encryption method may be an Offset Codebook (OCB) mode suggested by Rogaway et al. (“OCB: A Block Cipher Mode of Operation for Efficient Authenticated Encryption,” by P. Rogaway, M. Bellare, J. Black, ACM TISSEC 6(3), pp. 365-403, 2003). While research is being conducted on a stream cipher providing an authentication function, such as above mentioned Phelix, etc., little research corresponding to an operation mode of a block cipher is being conducted in the field of stream ciphers.
Hitherto suggested MAC generation methods are mostly based on a hash function and a block cipher. Since block ciphers are frequently used to provide a variety of functions, such as pseudorandom number generation, message authentication, etc., as well as confidentiality, stream ciphers are not used as much as in the past. In general, stream ciphers are known to have advantages in a low-power and lightweight hardware environment and a high-speed software environment, in comparison with block ciphers. In particular, as a demand for an encryption function increases in a low power and lightweight environment, such as a sensor network, a Radio Frequency Identification (RFID) system, etc., the role of stream ciphers are being expanded.